ehr onc final certification - Department of Health Care Services
ehr onc final certification - Department of Health Care Services
ehr onc final certification - Department of Health Care Services
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Complete EHRs or EHR Modules designed to provide this capability to be capable <strong>of</strong><br />
being configured by a specific user <strong>of</strong> Certified EHR Technology or based on<br />
organizational policy to generate alerts when certain actions (defined in the standard) had<br />
taken place. For example, a user-defined event could be when a patient’s health<br />
information is accessed outside <strong>of</strong> normal business hours. In this case, it was our<br />
expectation that Certified EHR Technology would alert a specific user <strong>of</strong> the Certified<br />
EHR Technology or the organization’s information security staff. We understand the<br />
point that commenters raise, however, about the potential for misinterpretation <strong>of</strong> this<br />
<strong>certification</strong> criterion and the consequent potential burden.<br />
Our overall intent for the third paragraph <strong>of</strong> this <strong>certification</strong> criterion was to<br />
ensure that Certified EHR Technology provided the capability for eligible pr<strong>of</strong>essionals<br />
and eligible hospitals to gain access to a specified portion, or a complete representation,<br />
<strong>of</strong> the Certified EHR Technology’s audit log. We believe that this capability is essential<br />
for eligible pr<strong>of</strong>essionals and eligible hospitals for risk analysis and other purposes.<br />
Therefore, in c<strong>onc</strong>ert with the feedback commenters provided on the second paragraph,<br />
we analyzed whether combining the third paragraph with the second paragraph into a<br />
single paragraph would express a clearer requirement. Accordingly, we have merged the<br />
two paragraphs and have adopted in the <strong>final</strong> rule a requirement that we believe more<br />
clearly expresses our intent for this <strong>certification</strong> criterion. We also note for clarification<br />
that the phrase “any <strong>of</strong> the elements specified by 170.210(b)” would also include, for<br />
example, “date” or that information has been “deleted.”<br />
Finally, we believe that it is important for our privacy and security <strong>certification</strong><br />
criteria to remain consistent with the HIPAA Security Rule to the degree that Certified<br />
Page 107 <strong>of</strong> 228